# NixOS module for "frontend" machines: declares the x-banananetwork.frontend
# options and, when enabled, applies the interactive-desktop configuration
# below (Plasma 6 / SDDM, home-manager profile for a single main user,
# Firefox policies, Tailscale, SSH hardening, ...).
{ config
, lib
, pkgs
, ...
}:
let
  # Shorthand for this module's own option values.
  cfg = config.x-banananetwork.frontend;
in
{
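# Option declarations for this module.
options = {
  x-banananetwork.frontend = {
    # Master switch: everything under `config` below is gated on it.
    # (Description typo "opionated" fixed.)
    enable = lib.mkEnableOption "frontend specific settings (highly opinionated / customized)";

    # Extra settings for convertible/touch devices (e.g. the on-screen keyboard
    # added to the user's packages). Option name kept as-is for compatibility.
    convertable = lib.mkEnableOption "convertable specific settings";

    # Name of the single interactive user this module manages: its NixOS user
    # account, home-manager profile, Tailscale operator flag and motd entries
    # are all derived from it.
    username = lib.mkOption {
      description = "username of ego-centric single main primary user";
      type = lib.types.str;
      example = "username";
    };
  };
};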
# Everything below is only applied when x-banananetwork.frontend.enable is set.
config = lib.mkIf cfg.enable {

  # TODO copy modem-manager overlay (for now)

  # NixOS configuration

  console = {
    # Derive the virtual-console keymap from the X keyboard settings
    # (services.xserver.xkb below) instead of configuring the layout twice.
    useXkbConfig = true;
  };
environment = {
  pathsToLink = [
    "/share/zsh" # required for Home-Manager ZSH autocompletion, see https://github.com/nix-community/home-manager/blob/e1391fb22e18a36f57e6999c7a9f966dc80ac073/modules/programs/zsh.nix#L353
  ];

  # Plasma 6 default packages that should not be installed with the desktop.
  plasma6.excludePackages = with pkgs.kdePackages; [
    baloo # do not need an indexer, which runs at arbitrary times
  ];
};
hardware = {
  bluetooth = {
    enable = true;
    powerOnBoot = true;
  };

  # Smartcard access for GnuPG's scdaemon (pcscd is enabled under services below).
  gpgSmartcards.enable = true; # scdaemon

  graphics.required = true;

  # NOTE(review): graphics.* and opengl.* are both set here. On NixOS releases
  # where hardware.opengl became an alias of hardware.graphics (and driSupport
  # was dropped) these overlap — confirm against the pinned nixpkgs.
  opengl = {
    enable = true;
    driSupport = true;
  };

  usb-modeswitch.enable = true; # for specific WLAN/WWAN cards
};
home-manager = {
  # Reuse the system's pkgs and install user packages through the system
  # profile rather than a per-user nix profile.
  useGlobalPkgs = true;
  useUserPackages = true;

  # Expose the full NixOS configuration to home.nix as `nixosConfig`.
  extraSpecialArgs = {
    nixosConfig = config;
  };
  # The main user's home-manager profile lives next to this module.
  users."${cfg.username}" = import ./home.nix;
};
networking = {
  firewall = {
    # Traffic arriving over the Tailscale interface bypasses the firewall
    # entirely; only added when the tailscale service (see services below)
    # is enabled.
    trustedInterfaces = with lib.lists; flatten [
      (optional config.services.tailscale.enable "tailscale0")
    ];
  };

  networkmanager.enable = true;

  # nftables backend for the NixOS firewall instead of iptables.
  nftables.enable = true;
};
nix.settings = {
  # Let remote builders fetch dependencies from substituters themselves;
  # mkDefault so an individual host can override it.
  builders-use-substitutes = lib.mkDefault true;
};
programs = {

  # Minimal browser for captive-portal logins.
  captive-browser = {
    enable = true;
    # Bind the browser to the portal's interface so it works even while a
    # VPN (e.g. Tailscale below) is up.
    bindInterface = true;
  };
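firefox = {
  enable = true;
  # Enterprise policies (policies.json). Entries with `Locked = true` cannot
  # be changed from the Firefox UI by the user.
  policies = {
    Cookies = {
      Behavior = "reject-tracker-and-partition-foreign";
      BehaviorPrivateBrowsing = "reject-tracker-and-partition-foreign";
      Locked = true;
    };
    DisablePocket = true;
    DisableSetDesktopBackground = true;
    # The policy key is "EnableTrackingProtection". It was previously spelled
    # "EnableTrackingProjection", an unknown key that Firefox ignores, so
    # tracking protection was neither forced on nor locked by policy.
    EnableTrackingProtection = {
      Value = true;
      Locked = true;
      Cryptomining = true;
      Fingerprinting = true;
    };
    EncryptedMediaExtensions = {
      Enabled = true;
    };
    # Add-on allow-list: every listed id is force-installed from
    # addons.mozilla.org and the "*" entry blocks installing anything else.
    ExtensionSettings =
      let
        # TODO upstream
        # Builds a { name; value; } pair for add-on `id`; `opts` overrides the
        # defaults (e.g. default_area).
        addon = id: opts: {
          name = id;
          value = {
            default_area = "menupanel";
            installation_mode = "force_installed";
            install_url = "https://addons.mozilla.org/firefox/downloads/latest/${id}/latest.xpi";
          } // opts;
        };
        # The "*" catch-all entry is passed through unchanged.
        enrichAddons = id: opts: if id == "*" then opts else (addon id opts).value;
      in
      builtins.mapAttrs enrichAddons {
        "*" = {
          blocked_install_message = ''
            Please add add-ons by changing your NixOS configuration.
          '';
          installation_mode = "blocked";
        };
        # Cast Kodi
        "castkodi@regseb.github.io" = { };
        # DeArrow
        "deArrow@ajay.app" = { };
        # KeePassXC-Browser
        "keepassxc-browser@keepassxc.org" = {
          default_area = "navbar";
        };
        # LibRedirect
        "7esoorv3@alefvanoon.anonaddy.me" = { };
        # Link Gopher
        "linkgopher@oooninja.com" = { };
        # ProtonDB for Steam
        "{30280527-c46c-4e03-bb16-2e3ed94fa57c}" = { };
        # Refined GitHub
        "{a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad}" = { };
        # Request Control
        "{1b1e6108-2d88-4f0f-a338-01f9dbcccd6f}" = {
          default_area = "navbar";
        };
        # SponsorBlock
        "sponsorBlocker@ajay.app" = { };
        # SteamDB
        "firefox-extension@steamdb.info" = { };
        # Tab Stash
        "tab-stash@condordes.net" = {
          default_area = "navbar";
        };
        # Tabliss
        "extension@tabliss.io" = { };
        # uBlock Origin
        "uBlock0@raymondhill.net" = {
          default_area = "navbar";
        };
      };
    # New-tab page layout: sponsored content and Pocket off.
    FirefoxHome = {
      Search = true;
      TopSites = true;
      SponsoredTopSites = false;
      Highlights = false;
      Pocket = false;
      SponsoredPocket = false;
      Snippets = true;
      Locked = true;
    };
    # Plain-HTTP origins exempt from HttpsOnlyMode below (presumably local
    # services without TLS).
    HttpAllowList = [
      "http://hatoria:8088"
      "http://penny:8123"
    ];
    HttpsOnlyMode = "force_enabled";
    NetworkPrediction = false; # no DNS prefetching
    NoDefaultBookmarks = true;
    OfferToSaveLogins = false; # logins are handled by KeePassXC-Browser (above)
    OverrideFirstRunPage = "";
    OverridePostUpdatePage = "";
    Permissions = {
      Autoplay = {
        Default = "block-audio-video";
      };
      Location = {
        BlockNewRequests = true;
        Locked = true;
      };
    };
    PopupBlocking = {
      Allow = [
        "https://app.roll20.net"
      ];
      Default = true;
      Locked = true;
    };
    PostQuantumKeyAgreementEnabled = true;
    # Preferences set by ..preferences below
    PrimaryPassword = true; # require a primary password for the saved-logins store
    SearchBar = "unified";
    SearchEngines = {
      # TODO setting search engines here only works on ESR
      Default = "DuckDuckGo";
    };
    ShowHomeButton = false;
    # Turn off in-product recommendations and onboarding.
    UserMessaging = {
      ExtensionRecommendations = false;
      FeatureRecommendations = false;
      UrlbarInterventions = false;
      SkipOnboarding = true;
      MoreFromMozilla = false;
      Locked = true;
    };
  };
  # about:config preferences applied through the Preferences policy.
  preferences = {
    "accessibility.typeaheadfind.flashBar" = 0;
    "browser.aboutConfig.showWarning" = false;
    "browser.language.detectLanguage" = false;
    "browser.search.suggest.enabled" = false;
    "browser.startup.page" = 3; # restore previous session
    "browser.urlbar.showSearchSuggestionsFirst" = false;
    "print.more-settings.open" = true;
    "security.insecure_connection_text.enabled" = true; # show a "Not secure" label on http:// pages
  };
};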
gamemode = {
  enable = true;
  # Allow gamemode to renice game processes; the boost value is set in
  # settings.general.renice below.
  enableRenice = true;
  settings = {
    general = {
      renice = 5;
    };
  };
};
# Phone integration; NOTE(review): the NixOS module presumably opens
# kdeconnect's port range in the firewall by default — confirm.
kdeconnect = {
  enable = true;
};

# Backlight control via `light`.
light.enable = true;

mosh = {
  # requires testing & so on
  enable = true;
  # mosh needs its UDP port range reachable; kept closed here on purpose, so
  # it only works over interfaces that bypass the firewall anyway (e.g. the
  # trusted tailscale0 interface under networking above).
  openFirewall = false; # technically requires this
};

nix-index = {
  # seems too much hassle to set up & use for now
  enable = false;
};
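rust-motd = {
  enable = true;
  # Sections of the message of the day, top to bottom.
  order = [
    "banner"
    "uptime"
    "memory"
    "filesystems"
    "service_status"
    "last_login"
  ];
  settings = {
    banner =
      let
        hostName = config.networking.hostName;
        # Render the hostname with figlet once at build time; the banner
        # command then only cats the resulting file. escapeShellArg keeps the
        # hostname out of shell interpretation regardless of which characters
        # networking.hostName's type admits (previously relied on bare quotes).
        figlet = pkgs.runCommandLocal "static-figlet-${hostName}" { } ''
          echo ${lib.escapeShellArg hostName} | ${pkgs.figlet}/bin/figlet -f slant > $out
        '';
      in
      {
        color = lib.mkDefault "red"; # mkDefault so a host can pick its own colour
        command = "cat ${figlet}";
      };
    # Mount points whose usage is shown.
    filesystems = {
      root = "/";
      home = "/home";
      nix = "/nix";
    };
    # Number of recent logins shown for the main user.
    last_login = {
      "${cfg.username}" = 3;
    };
    memory.swap_pos = "beside";
    # Systemd units whose state is shown (label = unit).
    service_status = {
      # TODO automate
      Tailscale = "tailscale.service";
    };
    uptime.prefix = "Up";
  };
};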
steam = {
  enable = true;
  # Both open firewall ports for LAN features (game transfers, Remote Play).
  localNetworkGameTransfers.openFirewall = true;
  remotePlay.openFirewall = true;
};
tmux = {
  plugins = with pkgs.tmuxPlugins; [
    # custom plugins, TODO overlay
    # Pinned by revision and content hash, so the fetched source is
    # verified at build time.
    (mkTmuxPlugin {
      pluginName = "zocker";
      version = "unstable-2019-11-07";
      src = pkgs.fetchFromGitea {
        domain = "git.banananet.work";
        owner = "zocker";
        repo = "tmux-custom";
        rev = "f9bafb8b29fad4b1ba77994540f069a49bb10e38";
        hash = "sha256-v0zkIqYnFYDcwgkjrRbOH2AXWUm1RXvFbcbQB/N1lzo=";
      };
    })
  ];
};
usbtop.enable = true;

# NOTE(review): programs.wireshark sets up a privileged dumpcap wrapper for
# the "wireshark" group; the main user (users.users.<username> below) is not
# added to that group in this module, so capturing as that user needs the
# membership elsewhere — confirm.
wireshark.enable = true;

ydotool.enable = true;

}; # programs
security = {
  # Realtime scheduling for audio, only needed when pipewire (services below) is on.
  rtkit.enable = lib.mkIf config.services.pipewire.enable true;
};
services = {

  # KDE Plasma 6 desktop with the SDDM display manager.
  desktopManager.plasma6 = {
    enable = true;
  };

  displayManager.sddm = {
    enable = true;
  };
fail2ban = {
  # SSH managed by default
  enable = true;
  # Never ban peers arriving over Tailscale; only added when the tailscale
  # service below is enabled. NOTE(review): Tailscale documents its IPv6
  # range as fd7a:115c:a1e0::/48, so the /96 here may be narrower than the
  # addresses actually assigned — verify.
  ignoreIP = lib.mkIf config.services.tailscale.enable [
    "100.64.0.0/10"
    "fd7a:115c:a1e0::/96"
  ];
  bantime = "10m";
  # Repeat offenders get increasingly longer bans, capped at 48h and counted
  # across all jails.
  bantime-increment = {
    enable = true;
    maxtime = "48h";
    overalljails = true;
  };
};
hardware = {
  bolt.enable = true; # Thunderbolt (device authorization daemon)
};
openssh = {
  enable = true;
  authorizedKeysInHomedir = true;
  authorizedKeysOnly = true;
  # sshd is reachable on every interface, not only the trusted tailscale0.
  openFirewall = true;
  settings = {
    PermitRootLogin = "no";
    # NOTE(review): PasswordAuthentication / KbdInteractiveAuthentication
    # are not set here, so the NixOS defaults apply — confirm they match the
    # intended policy given openFirewall = true (fail2ban above watches sshd).
  };
};
pipewire = {
  enable = true;
  audio.enable = true;
  # ALSA and PulseAudio compatibility layers; 32-bit ALSA for 32-bit games
  # (see programs.steam above).
  alsa.enable = true;
  alsa.support32Bit = true;
  pulse.enable = true;
};
printing = {
  enable = true;
  # Virtual "print to PDF" printer.
  cups-pdf = {
    enable = true;
  };
  # Presumably discards CUPS state directories on service start — still being evaluated.
  stateless = true; # test
};

# Smartcard daemon (pairs with hardware.gpgSmartcards above).
pcscd.enable = true;
tailscale = {
  enable = true;
  # "client": this host consumes subnet routes / exit nodes but does not
  # advertise them (the NixOS module presumably adjusts reverse-path
  # filtering for this — see its option docs).
  useRoutingFeatures = "client";
  # Flags passed to `tailscale up` when the service starts.
  extraUpFlags = [
    # TODO with next upgrade, use extraSetFlags
    "--operator=${cfg.username}" # lets the main user drive `tailscale` without root
    "--accept-dns=true" # use the tailnet's DNS (MagicDNS)
    "--accept-routes=true" # accept subnet routes advertised by peers
    "--exit-node=prox-vm134" # route internet traffic through this peer
    "--exit-node-allow-lan-access=true" # but keep the local LAN reachable
  ];
};
# Removable-media mounting for the desktop.
udisks2 = {
  enable = true;
};

xserver = {
  enable = true;
  # Keyboard layout; also used for the console via console.useXkbConfig above.
  xkb = {
    layout = "de";
    variant = "neo_qwertz";
  };
};

}; # services
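users = {
  # The single interactive user managed by this module.
  users."${cfg.username}" = {
    description = cfg.username;
    extraGroups = with lib.lists; flatten [
      # The group is "networkmanager"; it was misspelled "networkmanger",
      # which referred to a non-existent group and left the user unable to
      # manage connections without extra authentication.
      (optional config.networking.networkmanager.enable "networkmanager")
      "wheel" # admin / sudo
    ];
    isNormalUser = true;
    # SSH keys come from the shared x-banananetwork.sshPublicKeys option
    # (declared elsewhere); no per-host keys are listed here.
    openssh.authorizedKeys.keys = config.x-banananetwork.sshPublicKeys;
    packages = with pkgs; lib.lists.flatten [
      kdePackages.kate
      (lib.lists.optional cfg.convertable [
        maliit-keyboard # on-screen keyboard (should just work, see https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/2)
      ])
    ];
  };
};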
# This repository's own modules (declared elsewhere).
x-banananetwork = {

  allCommon.enable = true;

  autoUnfree = {
    enable = true;
    # TODO merge with nixos-modules/frontend/home.nix
    # Presumably the per-package unfree allow-list.
    packages = with pkgs.mpvScripts; [
      evafast
    ];
  };

  # mkDefault so an individual host can opt out.
  hwCommon.enable = lib.mkDefault true;
  privacy.enable = lib.mkDefault true;
  useable.enable = true;
};
# TODO wishlist:
# - enable & disable touch keyboard automatically based on convertable status
# - https://github.com/cynicsketch/nix-mineral (NixOS hardening)
# - programs.mepo
# - programs.autojump
# - programs.yubikey-touch-detector

}; # config

} # module